Public legal information

Privacy Policy

How bratan collects, uses, shares, and protects your personal data under the GDPR.

Last updated: June 2, 2026

01

Controller and contact

The data controller for the personal data described in this Privacy Policy is: Poor-Plebs e.U., , Austria. Email: [email protected]. Full operator details are available on our Imprint page.

We are a small business and are not required to appoint a Data Protection Officer under Article 37 of the GDPR. For all data protection inquiries, please contact us at [email protected].

02

Scope

This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the bratan website, customer dashboard, billing flows, and related hosting services.

This policy does NOT cover data processed within your container. Your agent instance may process personal data (e.g. conversations on your chosen chat platform — Telegram, Discord, or Slack — and AI interactions). For any such data, you are the data controller and are responsible for compliance with applicable data protection law. We do not monitor, access, or analyse content within your container.

03

Personal data we collect

Account data: Your name, email address, and hashed password. If you register using social login (e.g. Google), we also receive your provider user ID, display name, email address, and profile picture from the login provider.

Billing data: Your subscription tier, billing period dates, payment status, cancellation status, and Stripe customer identifier. Your payment card details are processed exclusively by Stripe and are never transmitted to or stored on our servers.

Service configuration data: Your chat-platform credentials (such as a Telegram bot token, Discord bot token, or Slack OAuth credentials), the corresponding bot identity (bot username or bot/workspace ID), your platform user ID where applicable, assigned server, and container status. When you provide an AI API key during setup, it is used to configure your container and is stored in encrypted form within the platform to enable service delivery.

Technical data: IP addresses, browser type and version, operating system, access timestamps, and HTTP request logs generated when you use the website and dashboard.

Support data: Any messages, correspondence, or feedback you send to us through support channels.

Data we do NOT collect: We do not collect or have access to your chat-platform conversations (Telegram, Discord, Slack), AI interactions, chat transcripts, files, or any other content stored within your container. We do not collect data from your AI provider about your usage.

05

Data sharing and recipients

We share personal data only with the following categories of recipients, and only to the extent necessary for service delivery:

Stripe, Inc. (USA): Payment processing. Stripe receives your payment card details, email, and transaction data. Stripe acts as an independent data controller for payment data. Privacy policy: stripe.com/privacy. Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Hetzner Online GmbH (Germany): Server infrastructure and object storage. Hetzner hosts the physical servers that run your container. Personal data processed: technical data, container metadata. Location: EU (Germany/Finland). No international transfer.

Telegram FZ-LLC: If you choose Telegram as your chat platform, your Telegram bot token and bot username are used to connect your agent instance to Telegram. We do not transmit other personal data to Telegram. Conversations between you and your bot occur directly between your device and Telegram's servers via your personal bot token — this is container content for which you are the data controller (see Section 2). Your use of Telegram is governed by Telegram's own privacy policy. Legal basis: contract performance (Article 6(1)(b) GDPR).

Discord Inc. (USA): If you choose Discord as your chat platform, your Discord bot token and bot identity are used to connect your agent instance to Discord. We do not transmit other personal data to Discord. Conversations between you and your bot occur directly between your device and Discord's servers via your personal bot token — this is container content for which you are the data controller (see Section 2). Your use of Discord is governed by Discord's own privacy policy. Legal basis: contract performance (Article 6(1)(b) GDPR). Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Slack Technologies LLC (a Salesforce company, USA): If you choose Slack as your chat platform, your Slack OAuth credentials (bot and signing tokens) and bot identity are used to connect your agent instance to your Slack workspace. We do not transmit other personal data to Slack. Conversations between your workspace members and your bot occur directly between their devices and Slack's servers — this is container content for which you are the data controller (see Section 2). Your use of Slack is governed by Slack's own privacy policy. Legal basis: contract performance (Article 6(1)(b) GDPR). Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Resend, Inc. (USA): Email delivery. Resend receives your name and email address when we send service emails such as billing notifications, withdrawal waiver confirmations, and account updates and, if you opt in, optional marketing emails such as product updates, launch announcements, and promotions. For the email content we instruct Resend to send on our behalf, Resend acts as our data processor under a GDPR Article 28 agreement. For delivery metadata (such as bounces, opens, spam complaints, and IP address), Resend acts as an independent data controller for its own purposes of service operation, security, and fraud prevention. Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Google LLC (USA): (a) Social login — If you register or log in using Google, Google transmits your name, email, and profile picture to us during authentication. (b) Analytics — We use Google Analytics 4 with Consent Mode v2 across our website and application. Analytics data is only collected with your explicit consent via our cookie consent banner. When you grant consent, we collect: page views, referral sources, and approximate location derived from IP address (client-side); and service lifecycle events such as subscription changes and provisioning status (server-side). We store an encrypted analytics identifier on your account to correlate server-side events with your session. You can change your consent preference at any time via the cookie consent banner, and revoking consent stops all analytics data collection immediately. Google may process this data outside the EEA. Transfer safeguard: EU adequacy decision / Standard Contractual Clauses. (c) Web fonts — Our website loads the Inter and JetBrains Mono typefaces from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). When your browser fetches a font file, your IP address and User-Agent are transmitted to Google as a technical necessity for the request. No other personal data about you is included. Google's processing of this data is governed by the Google Privacy Policy. Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Functional Software, Inc. dba Sentry (USA, processed in EU region): Application error monitoring. We use Sentry's EU-hosted instance to capture technical error reports and stack traces from our backend and frontend so we can diagnose and fix bugs. We do not intentionally transmit personal data to Sentry; events are scoped to technical and diagnostic data such as stack traces, request paths, browser type, and runtime environment. Personal data processed: technical/diagnostic data only. Location: EU. Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

Grafana Labs, Inc. (USA, processed in EU region): Application log aggregation via Grafana Cloud Loki. Server-side application logs are forwarded to Grafana Cloud's EU region for operational monitoring and incident response. We do not intentionally transmit personal data; log content is scoped to technical and diagnostic data such as request paths, status codes, and error context. Personal data processed: technical/diagnostic data only. Location: EU. Transfer safeguard: Standard Contractual Clauses (Article 46(2)(c) GDPR).

We do not sell, rent, or trade your personal data. We do not share data with advertisers or data brokers. We may disclose personal data to law enforcement or regulatory authorities if required by law or a valid court order.

06

International data transfers

Most of your data is processed within the European Economic Area (EEA), primarily on Hetzner servers in Germany.

Where data is transferred outside the EEA (Stripe, Google, Resend, Discord, and Slack in the USA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses adopted by the European Commission (Article 46(2)(c) GDPR) or reliance on adequacy decisions (Article 45 GDPR).

We only transfer personal data outside the EEA where legally required safeguards are in place to ensure an adequate level of data protection.

07

Data retention

We retain your personal data only as long as necessary for the purposes for which it was collected or as required by law:

Account data: Retained while your account is active. After account deletion or termination, account data is deleted within 30 days, except where longer retention is required by law.

Billing records: Retained for 7 years from the end of the financial year in which the transaction occurred, as required by Austrian tax law (Section 132 Bundesabgabenordnung, BAO).

Container data and backups: Deleted within 30 days of account closure or termination. Backups are overwritten on a rolling basis and are not retained beyond this period.

Technical logs (server access logs, error logs): Retained for 90 days for operational and security purposes, then deleted.

Support correspondence: Retained for 3 years after resolution for quality assurance and legal purposes, then deleted.

If we are involved in a legal dispute or legal obligation requires it, we may retain relevant data for the duration of the proceedings plus any applicable limitation period.

08

Your rights under the GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact us at [email protected]:

Right of access (Article 15): You may request a copy of the personal data we hold about you, along with information about how it is processed.

Right to rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right is subject to legal retention obligations (e.g. tax records).

Right to restriction (Article 18): You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.

Right to data portability (Article 20): You may request your personal data in a structured, commonly used, and machine-readable format, and have it transmitted to another controller where technically feasible.

Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

We will respond to your request within one month. This period may be extended by two further months where requests are complex or numerous, in which case we will inform you of the extension within the first month. There is no fee for reasonable requests. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

We may need to verify your identity before fulfilling a request, to ensure that personal data is not disclosed to an unauthorised person.

09

Cookies and similar technologies

We use strictly necessary cookies for the operation of the website and dashboard. These include session cookies (to maintain your login session) and CSRF tokens (to protect against cross-site request forgery). These cookies are essential for the service to function and do not require your consent under Section 165 of the Austrian Telekommunikationsgesetz 2021 (TKG 2021).

We use Google Analytics 4 with Google Consent Mode v2 to understand how visitors and users interact with our website and application. The Google Analytics script is loaded on production and staging environments, but analytics data collection is disabled by default via Consent Mode (analytics_storage: denied). No analytics data is sent to Google until you give explicit consent through our cookie consent banner, which is available on all pages. Your consent preference controls both client-side analytics (page views, navigation) and server-side analytics (service lifecycle events such as subscription changes). If you do not consent, no analytics data is collected. You can change your cookie preferences at any time via the banner.

We do not use advertising cookies, tracking pixels, or other non-essential tracking technologies beyond the analytics cookies described above.

10

Security

We implement appropriate technical and organisational measures to protect your personal data, including: encryption of personal data at rest and in transit (TLS); encrypted storage of email addresses in our database; container isolation ensuring each tenant runs in a separate, hardened container with no access to other tenants' data; role-based access controls following the principle of least privilege; regular security reviews of our infrastructure.

No internet-based service can guarantee absolute security. While we take reasonable and proportionate measures to protect your data, we cannot guarantee that unauthorised access, disclosure, or loss will never occur. We will notify you and the competent supervisory authority of any personal data breach in accordance with Articles 33 and 34 of the GDPR where required.

11

Children

The service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe we have collected data from a child under 16, please contact us at [email protected].

12

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated policy will be posted on this page with a new "Last updated" date.

For material changes that affect how we process your personal data, we will notify you at least 30 days before the changes take effect by email to the address associated with your account. Your continued use of the service after the effective date constitutes acknowledgment of the updated policy.

13

Supervisory authority and complaints

You have the right to lodge a complaint with a data protection supervisory authority if you believe our processing of your personal data infringes the GDPR. The competent authority in Austria is:

Österreichische Datenschutzbehörde (Austrian Data Protection Authority), Barichgasse 40-42, 1030 Wien, Austria. Email: [email protected]. Website: www.dsb.gv.at.

You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

14

Contact

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at: Poor-Plebs e.U., , Austria. Email: [email protected]. Full operator details are available on our Imprint page.